WordPress.org

Make WordPress Core

Opened 4 years ago

Closed 4 years ago

#11848 closed defect (bug) (worksforme)

bug in apache_mod_loaded()

Reported by: Denis-de-Bernardy Owned by:
Milestone: Priority: normal
Severity: normal Version: 2.9
Component: General Keywords: has-patch
Focuses: Cc:

Description (last modified by Denis-de-Bernardy)

If apache functions are available, we should not return the default value in apache_mod_loaded().

as things stand, get_mod_rewrite() would return true even if apache_get_modules() says otherwise.

also, phpinfo() is part of php core.

Attachments (2)

11848.diff (813 bytes) - added by Denis-de-Bernardy 4 years ago.
11848.2.diff (838 bytes) - added by Denis-de-Bernardy 4 years ago.

Download all attachments as: .zip

Change History (13)

Denis-de-Bernardy4 years ago

comment:1 Denis-de-Bernardy4 years ago

  • Description modified (diff)

tested with apache_get_modules() turned on. needs testing with it off, and with php loaded as cgi.

comment:2 dd324 years ago

some webhosts disable phpinfo() when they dont want the users to know the details of the setup.

As crazy as it may sound.

Denis-de-Bernardy4 years ago

comment:3 Denis-de-Bernardy4 years ago

patch updated to reflect that.

comment:4 sivel4 years ago

See also #11604

comment:5 sirzooro4 years ago

I think it will be good to check this path on setup with PHP Suhosin - I know that this hardening patch adds some protection for phpinfo().

comment:6 Denis-de-Bernardy4 years ago

sirzooro: I did that already. though again, with the apache loaded function. if suhosin hides the modules, or disables the function, that's fine too. it just returns the default.

my issue with the current code is that it'll return true to get_mod_rewrite() even if apache_get_modules() makes it 100% certain that mod_rewrite is not around.

comment:7 ryan4 years ago

According to [7508] we return the default on purpose. #6278 doesn't really explain why other than to note it was done to restore the previous default for got_mod_rewrite().

comment:8 ryan4 years ago

This might explain why we only rely on confirming presence (but not absence) of a mod with apache_get_modules().

http://core.trac.wordpress.org/ticket/11604#comment:3

comment:9 Denis-de-Bernardy4 years ago

yeah. and hakre mentioned that in a fast cgi environment, it's pretty much impossible to detect an aapche module using simple functions.

I think we should consider applying different logic for get_mod_rewrite(). Here's what I just committed to the health-check plugin:

http://plugins.trac.wordpress.org/changeset/192787/health-check

comment:10 nacin4 years ago

Tools > Network uses both got_mod_rewrite() and apache_mod_loaded() rather effectively. I don't think we should add much more to core for this. I think the perfect place for the code in the health check plugin is the health check plugin.

comment:11 nacin4 years ago

  • Milestone 3.0 deleted
  • Resolution set to worksforme
  • Status changed from new to closed
Note: See TracTickets for help on using tickets.